Cisco FirePOWER Appliance 8360
42-5
FireSIGHT System User Guide
Chapter 42 Enhancing Network Discovery
Enhancing Your Network Map
• You can modify a host’s operating system or application identity through the FireSIGHT System user interface. Data added through the interface is user input data.
• You can also import data using a command line utility. Imported data is host import input data.
The system retains one identity for each active source. When you run an Nmap scan instance, for
example, the results of the previous scan are replaced with the new scan results. However, if you run an
Nmap scan and then replace those results with data from a client whose results are imported through the
command line, the system retains both the identities from the Nmap results and the identities from the
import client. Then the system uses the priorities set in the system policy to determine which active
identity to use as the current identity.
Note that user input is considered one source, even if it comes from different users. As an example, if
UserA sets the operating system through the host profile, and then UserB changes that definition through
the host profile, the definition set by UserB is retained, and the definition set by UserA is discarded. In
addition, note that user input overrides all other active sources and is used as the current identity if it
exists.
Understanding Current Identities
License: FireSIGHT
The current identity for an application or an operating system on a host is the identity that the system
finds most likely to be correct.
The system uses the current identity for an operating system or application for the following purposes:
• to assign vulnerabilities to a host
• for impact assessment
• when evaluating correlation rules written against operating system identifications, host profile qualifications, and compliance white lists
• for display in the Hosts and Servers table views in workflows
• for display in the host profile
• to calculate the operating system and application statistics on the Discovery Statistics page
The system uses source priorities to determine which active identity should be used as the current
identity for an application or operating system.
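The rules above (one identity per active source, user input treated as a single overriding source, and source priorities deciding among the rest) can be modeled in a few lines. This is an added example, not code from the FireSIGHT System; the class, the source names, the priority order, and the operating system strings are all assumptions made for illustration.

```python
# Simplified model of the identity-resolution rules described above.
# Source names and the priority order are assumptions made for this example.

USER_INPUT = "user_input"


class HostIdentityStore:
    """Tracks operating system identities for one host, one per active source."""

    def __init__(self, source_priority):
        # Source names, highest priority first. This list stands in for the
        # priorities configured in the system policy.
        self.source_priority = list(source_priority)
        self.active = {}  # source name -> identity string

    def report(self, source, identity):
        # One identity per source: a new report from the same source
        # replaces that source's previous identity.
        self.active[source] = identity

    def set_by_user(self, user, identity):
        # All users share a single "user input" source, so the latest
        # definition discards the earlier one regardless of who set it.
        self.active[USER_INPUT] = identity

    def current_identity(self):
        # User input overrides every other active source when it exists.
        if USER_INPUT in self.active:
            return USER_INPUT, self.active[USER_INPUT]
        # Otherwise the highest-priority source with an active identity wins.
        for source in self.source_priority:
            if source in self.active:
                return source, self.active[source]
        return None, None


def demo():
    # Constructed sample data: hypothetical source names and OS strings.
    store = HostIdentityStore(["host_import:inventory_client", "nmap"])
    steps = []
    store.report("nmap", "Linux 2.6")
    store.report("nmap", "Linux 3.x")  # second scan replaces the first
    steps.append(store.current_identity())
    store.report("host_import:inventory_client", "Red Hat Enterprise Linux 6")
    steps.append(store.current_identity())  # both retained; priority decides
    store.set_by_user("UserA", "CentOS 6")
    store.set_by_user("UserB", "Ubuntu 12.04")  # UserB's definition is kept
    steps.append(store.current_identity())
    return store, steps
```

Calling `demo()` returns the store and the current identity after each stage: the latest Nmap result, then the higher-priority import client, then the last user-entered definition.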